Vulnerabilities that went undetected for a decade left thousands of macOS and iOS apps susceptible to supply-chain attacks. Hackers could have added malicious code compromising the security of millions or billions of people who installed them, researchers said Monday.
The vulnerabilities, which were fixed last October, resided in a "trunk" server used to manage CocoaPods, a repository for open source Swift and Objective-C projects that roughly 3 million macOS and iOS apps depend on. When developers make changes to one of their "pods" (CocoaPods lingo for individual code packages), dependent apps typically incorporate them automatically through app updates, with no interaction required by end users.
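That automatic propagation is the reason practitioners pin pod versions: a dependency declared with a floating requirement such as `~> 5.9` will silently adopt whatever new release appears under that name. As an added example, not code from the article, from EVA or from the CocoaPods project, the Ruby script below reads a Podfile.lock and lists every declared dependency whose requirement is not an exact version (`= x.y.z`) or a fixed git commit. The lockfile it parses is constructed for illustration; `ExamplePod`, `ExampleDep` and the repository URL are placeholders.

```ruby
# Added example: flag Podfile.lock dependencies that are not pinned.
# Not part of the article or of CocoaPods itself. The sample lockfile below
# is constructed for illustration; the pod names and URL are placeholders.

SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - Alamofire (5.9.1)
    - ExamplePod (1.2.3):
      - ExampleDep (~> 1.0)
    - ExampleDep (1.0.4)

  DEPENDENCIES:
    - Alamofire (~> 5.9)
    - ExamplePod (= 1.2.3)
    - ExampleDep (from `https://github.com/example/ExampleDep.git`, commit `0123abc`)

  SPEC CHECKSUMS:
    Alamofire: 0000000000000000000000000000000000000000
    ExamplePod: 1111111111111111111111111111111111111111
    ExampleDep: 2222222222222222222222222222222222222222

  PODFILE CHECKSUM: 3333333333333333333333333333333333333333

  COCOAPODS: 1.15.2
LOCK

# Split a Podfile.lock into its top-level sections (PODS, DEPENDENCIES, ...).
# Section headers are unindented and end with a colon. Only entries indented by
# exactly two spaces are kept, so the nested sub-dependency lines under a pod in
# the PODS section (four spaces) are ignored rather than misread as pods.
def lock_sections(text)
  sections = Hash.new { |h, k| h[k] = [] }
  current = nil
  text.each_line do |line|
    if line =~ /\A([A-Z][A-Z ]*):\s*\z/
      current = Regexp.last_match(1)
    elsif current && line =~ /\A {2}- (.*?)\s*\z/
      sections[current] << Regexp.last_match(1)
    end
  end
  sections
end

# A requirement counts as pinned only if it names an exact version or a git
# commit. Branches and tags can move, and "~>", ">=" or no constraint at all
# let `pod update` pull in a newer release of the same pod name.
def pinned?(requirement)
  return false if requirement.nil?
  return true if requirement =~ /\A= \S+\z/
  return true if requirement =~ /\bcommit `/
  false
end

# Return the declared dependencies that are not pinned, keyed by pod name,
# with the requirement string and the version currently resolved in PODS.
def floating_dependencies(lockfile_text)
  sections = lock_sections(lockfile_text)

  resolved = {}
  sections["PODS"].each do |entry|
    next unless entry =~ /\A(\S+) \(([^)]+)\):?\z/
    resolved[Regexp.last_match(1)] = Regexp.last_match(2)
  end

  floating = {}
  sections["DEPENDENCIES"].each do |entry|
    next unless entry =~ /\A(\S+)(?: \((.*)\))?\z/
    name = Regexp.last_match(1)
    requirement = Regexp.last_match(2)
    next if pinned?(requirement)
    floating[name] = { requirement: requirement, resolved: resolved[name] }
  end
  floating
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real Podfile.lock path as the first argument, or run on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  floating_dependencies(text).each do |name, info|
    puts "#{name}: requirement '#{info[:requirement]}' resolved to #{info[:resolved]} (not pinned)"
  end
end
```

On the sample lockfile only Alamofire is reported, since ExamplePod is pinned to an exact version and ExampleDep to a commit. Two caveats: pinning only stops the silent adoption of a new release under a familiar pod name, and does nothing if the version already in use was itself tampered with; and the check is only meaningful if builds run `pod install` against the committed Podfile.lock rather than `pod update`.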
Code injection vulnerabilities
"Many applications can access a user's most sensitive information: credit card details, medical records, private materials, and more," wrote researchers from EVA Information Security, the firm that discovered the vulnerabilities. "Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable: ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk."